Analysis
-
max time kernel
135s -
max time network
169s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
29/05/2024, 03:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
dff71e3dc64515e2f73595232405abe3c47e94c550dd83ff964eb22f97e93440.exe
Resource
win7-20240508-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
dff71e3dc64515e2f73595232405abe3c47e94c550dd83ff964eb22f97e93440.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
dff71e3dc64515e2f73595232405abe3c47e94c550dd83ff964eb22f97e93440.exe
-
Size
768KB
-
MD5
a258df14d0468b7a3cf6ffdecf745628
-
SHA1
e6d07b417dd1ee547106988289c321d25cbb115c
-
SHA256
dff71e3dc64515e2f73595232405abe3c47e94c550dd83ff964eb22f97e93440
-
SHA512
f1f2a1703bfe72bdb07fc23b277e887886e2b84cf305f1a0fe5a0d2c4a7c942e141e698fd3b263b88c7179d1388a2747aae6bad7edba84ff2cc95347518ee7a2
-
SSDEEP
12288:BqLv/6IveDVqvQ6IvYvc6IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC4gvGJ:Bqjq5h3q5htaSHFaZRBEYyqmaf2qwiHP
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eebgqe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfnnmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfnnmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfokff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agkqiobl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blchmdff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqbfaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlomemlj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgnffp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onecof32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmkibl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgkaip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlknbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Angleokb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnacfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gokmfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqmjen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jacnegep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfeagefd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcpqgbkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aneppo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjqjpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggoaje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npipnjmm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nldjnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmbcik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcibchgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnfmapqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dijgjpip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhnichde.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gklnem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hobcgdjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emoaopnf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkqdnkge.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kblkap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqigee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enaaiifb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moomgl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgjkag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aneppo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmdhnhkp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Debfpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iajbinaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mflidl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epgpajdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbdijpjh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jopiom32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmfodn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llmbqdfb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnpami32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idfkednq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gomkkagl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akopoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddnmeejo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omhpcm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdibplaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngklppei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anqfepaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnbjpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omhpcm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddqbbo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbhnga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhegjdag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gklnem32.exe -
Executes dropped EXE 64 IoCs
pid Process 2672 Nkhfek32.exe 3996 Pfncia32.exe 3448 Pmmeak32.exe 3440 Qcncodki.exe 3576 Alkeifga.exe 4476 Ammnhilb.exe 3076 Bpgjpb32.exe 1400 Clbdpc32.exe 3904 Ddqbbo32.exe 1480 Ddhhbngi.exe 4700 Epaemojk.exe 4264 Eebgqe32.exe 2192 Egdqph32.exe 2984 Fpckjlje.exe 2632 Ggbmafnm.exe 4780 Gcngafol.exe 4224 Iqpclh32.exe 404 Iqgjmg32.exe 1132 Jakchf32.exe 872 Jnfjbj32.exe 3676 Knbinhfl.exe 4720 Ljncnhhk.exe 3244 Mdkabmjf.exe 940 Mgngih32.exe 1104 Mhppik32.exe 556 Nhdicjfp.exe 4192 Nnfkgp32.exe 960 Ogqmee32.exe 4896 Ogefqeaj.exe 3832 Pfkpiled.exe 4084 Pnfdnnbo.exe 412 Phbolflm.exe 1900 Qdllffpo.exe 436 Agaoca32.exe 1136 Bgfhnpde.exe 4636 Bnppkj32.exe 1240 Bgkaip32.exe 3320 Bfnnmg32.exe 536 Cgagjo32.exe 4788 Cfedmfqd.exe 2316 Cfgace32.exe 2496 Cppelkeb.exe 4528 Dijgjpip.exe 5088 Deagoa32.exe 4508 Dfqdid32.exe 4348 Ebokodfc.exe 1904 Eflceb32.exe 4460 Elnehifk.exe 1164 Fplnogmb.exe 1664 Fpqgjf32.exe 4768 Fiilblom.exe 3200 Fhnichde.exe 1440 Gohapb32.exe 4360 Gebimmco.exe 4236 Gcfjfqah.exe 4012 Gomkkagl.exe 4160 Gheodg32.exe 1328 Ggfobofl.exe 1088 Gcmpgpkp.exe 1812 Hfpenj32.exe 4368 Jgbhdkml.exe 1768 Jopiom32.exe 1120 Jflnafno.exe 2440 Jfokff32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Oefaplcm.dll Fpqgjf32.exe File created C:\Windows\SysWOW64\Eecfah32.exe Ebbmpmnb.exe File created C:\Windows\SysWOW64\Jhdlbp32.exe Jpjhlche.exe File created C:\Windows\SysWOW64\Nicjaino.exe Ngcngfgl.exe File opened for modification C:\Windows\SysWOW64\Eecfah32.exe Ebbmpmnb.exe File opened for modification C:\Windows\SysWOW64\Epaemojk.exe Ddhhbngi.exe File created C:\Windows\SysWOW64\Ljncnhhk.exe Knbinhfl.exe File created C:\Windows\SysWOW64\Pllieg32.exe Pohilc32.exe File created C:\Windows\SysWOW64\Ciaich32.dll Koggehff.exe File created C:\Windows\SysWOW64\Jakchf32.exe Iqgjmg32.exe File created C:\Windows\SysWOW64\Lhammfci.exe Lhopgg32.exe File opened for modification C:\Windows\SysWOW64\Fcgemhic.exe Fnhppa32.exe File created C:\Windows\SysWOW64\Idonlbff.exe Idmafc32.exe File created C:\Windows\SysWOW64\Jkeedk32.exe Jalakeme.exe File created C:\Windows\SysWOW64\Qdllffpo.exe Phbolflm.exe File opened for modification C:\Windows\SysWOW64\Lpgalc32.exe Lcpqgbkj.exe File created C:\Windows\SysWOW64\Ljjpnb32.exe Lmfodn32.exe File created C:\Windows\SysWOW64\Bcngddao.exe Bgggockk.exe File created C:\Windows\SysWOW64\Ddhefceh.dll Cpcnhbjj.exe File created C:\Windows\SysWOW64\Jamiaq32.dll Hfpenj32.exe File created C:\Windows\SysWOW64\Pjidgaoa.dll Blchmdff.exe File created C:\Windows\SysWOW64\Npjnbg32.exe Mfomda32.exe File created C:\Windows\SysWOW64\Ojicgi32.dll Qkqdnkge.exe File created C:\Windows\SysWOW64\Ockhfbgl.dll Anccjp32.exe File created C:\Windows\SysWOW64\Dqigee32.exe Debfpd32.exe File opened for modification C:\Windows\SysWOW64\Nilkkq32.exe Mpdgbkab.exe File created C:\Windows\SysWOW64\Nldjnk32.exe Npmjij32.exe File created C:\Windows\SysWOW64\Kmdhdbhl.dll Olnmdi32.exe File created C:\Windows\SysWOW64\Epgpajdp.exe Ecnbgian.exe File created C:\Windows\SysWOW64\Hmdlhk32.exe Hpqlof32.exe File opened for modification C:\Windows\SysWOW64\Llpofd32.exe Llmbqdfb.exe File created C:\Windows\SysWOW64\Eqmjen32.exe Emoaopnf.exe File created C:\Windows\SysWOW64\Egdqph32.exe Eebgqe32.exe File opened for modification C:\Windows\SysWOW64\Moajmk32.exe Moomgl32.exe File created C:\Windows\SysWOW64\Poelfc32.exe Pfjgbapo.exe File created C:\Windows\SysWOW64\Bagphg32.dll Mdibplaf.exe File created C:\Windows\SysWOW64\Lmfodn32.exe Liifnp32.exe File created C:\Windows\SysWOW64\Hfncib32.dll Anqfepaj.exe File opened for modification C:\Windows\SysWOW64\Inflio32.exe Ioqohb32.exe File created C:\Windows\SysWOW64\Glgediop.dll Clohhbli.exe File created C:\Windows\SysWOW64\Palkmnim.dll Gcmpgpkp.exe File created C:\Windows\SysWOW64\Nbjpjl32.exe Ncecioib.exe File created C:\Windows\SysWOW64\Cnjbbl32.exe Cmkehicj.exe File opened for modification C:\Windows\SysWOW64\Lmfodn32.exe Liifnp32.exe File created C:\Windows\SysWOW64\Bmhibi32.exe Bdmdng32.exe File created C:\Windows\SysWOW64\Qpoaai32.dll Mnpami32.exe File opened for modification C:\Windows\SysWOW64\Omhpcm32.exe Omfcmm32.exe File created C:\Windows\SysWOW64\Amblpikl.exe Aoalba32.exe File created C:\Windows\SysWOW64\Fodobp32.dll Fcibchgq.exe File opened for modification C:\Windows\SysWOW64\Ahngmnnd.exe Agnkck32.exe File created C:\Windows\SysWOW64\Gjjfdp32.dll Pllieg32.exe File created C:\Windows\SysWOW64\Lglopjkg.exe Lppjnpem.exe File opened for modification C:\Windows\SysWOW64\Ogefqeaj.exe Ogqmee32.exe File opened for modification C:\Windows\SysWOW64\Pjahchpb.exe Pjoknhbe.exe File opened for modification C:\Windows\SysWOW64\Aoalba32.exe Aidcjk32.exe File created C:\Windows\SysWOW64\Cfbcfh32.exe Cpfkna32.exe File created C:\Windows\SysWOW64\Mdibplaf.exe Mkangg32.exe File created C:\Windows\SysWOW64\Dmiaig32.exe Ddnmeejo.exe File opened for modification C:\Windows\SysWOW64\Cmdhnhkp.exe Cdicje32.exe File opened for modification C:\Windows\SysWOW64\Hhegjdag.exe Ghcjedcj.exe File opened for modification C:\Windows\SysWOW64\Elnehifk.exe Eflceb32.exe File created C:\Windows\SysWOW64\Jopiom32.exe Jgbhdkml.exe File opened for modification C:\Windows\SysWOW64\Nldjnk32.exe Npmjij32.exe File opened for modification C:\Windows\SysWOW64\Obnlpnbm.exe Nbkojo32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4956 4320 WerFault.exe 406 -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicimc32.dll" Mgngih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbjpjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgmkbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlpabkba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clhghiic.dll" Mhppik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cibdlc32.dll" Hifaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbkbabje.dll" Bmhibi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfdlif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnnklg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gomkkagl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cinpdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgphggpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnjbbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgknlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgbdmfnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enhnmolc.dll" Bgggockk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpomglp.dll" Moomgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpgnmcdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kojdkhdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpqdd32.dll" Dmiaig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfmqapcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alnakngf.dll" Nbkojo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipqcn32.dll" Nlpabkba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aidcjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgjkag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qonnge32.dll" Fcjimnjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdibplaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laeojd32.dll" Dbdano32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbappaql.dll" Eblgon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockhfbgl.dll" Anccjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onqdhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkpfjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpbaipdn.dll" Emoaopnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjddehlk.dll" Mbfmha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfpenj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhcajd32.dll" Ljjpnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkhelp32.dll" Lbnggpfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgnonhdl.dll" Mmokpglb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klnkoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnbpnomm.dll" Loaafnah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdfmcobk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pllieg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epaemojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaokgokp.dll" Hkiclepa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmkibl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikbphn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogqmee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbgcpb32.dll" Fblpflfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahngmnnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhhgib32.dll" Dcmjpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmpcpigl.dll" Kkofofbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Offeahhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaajfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngklppei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inflio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omfcmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doqpjoik.dll" Aidcjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdfmcobk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmmeak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naompiea.dll" Kaajfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fblpflfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqigee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Moajmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbdano32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1260 wrote to memory of 2672 1260 dff71e3dc64515e2f73595232405abe3c47e94c550dd83ff964eb22f97e93440.exe 91 PID 1260 wrote to memory of 2672 1260 dff71e3dc64515e2f73595232405abe3c47e94c550dd83ff964eb22f97e93440.exe 91 PID 1260 wrote to memory of 2672 1260 dff71e3dc64515e2f73595232405abe3c47e94c550dd83ff964eb22f97e93440.exe 91 PID 2672 wrote to memory of 3996 2672 Nkhfek32.exe 92 PID 2672 wrote to memory of 3996 2672 Nkhfek32.exe 92 PID 2672 wrote to memory of 3996 2672 Nkhfek32.exe 92 PID 3996 wrote to memory of 3448 3996 Pfncia32.exe 93 PID 3996 wrote to memory of 3448 3996 Pfncia32.exe 93 PID 3996 wrote to memory of 3448 3996 Pfncia32.exe 93 PID 3448 wrote to memory of 3440 3448 Pmmeak32.exe 94 PID 3448 wrote to memory of 3440 3448 Pmmeak32.exe 94 PID 3448 wrote to memory of 3440 3448 Pmmeak32.exe 94 PID 3440 wrote to memory of 3576 3440 Qcncodki.exe 95 PID 3440 wrote to memory of 3576 3440 Qcncodki.exe 95 PID 3440 wrote to memory of 3576 3440 Qcncodki.exe 95 PID 3576 wrote to memory of 4476 3576 Alkeifga.exe 96 PID 3576 wrote to memory of 4476 3576 Alkeifga.exe 96 PID 3576 wrote to memory of 4476 3576 Alkeifga.exe 96 PID 4476 wrote to memory of 3076 4476 Ammnhilb.exe 97 PID 4476 wrote to memory of 3076 4476 Ammnhilb.exe 97 PID 4476 wrote to memory of 3076 4476 Ammnhilb.exe 97 PID 3076 wrote to memory of 1400 3076 Bpgjpb32.exe 98 PID 3076 wrote to memory of 1400 3076 Bpgjpb32.exe 98 PID 3076 wrote to memory of 1400 3076 Bpgjpb32.exe 98 PID 1400 wrote to memory of 3904 1400 Clbdpc32.exe 99 PID 1400 wrote to memory of 3904 1400 Clbdpc32.exe 99 PID 1400 wrote to memory of 3904 1400 Clbdpc32.exe 99 PID 3904 wrote to memory of 1480 3904 Ddqbbo32.exe 100 PID 3904 wrote to memory of 1480 3904 Ddqbbo32.exe 100 PID 3904 wrote to memory of 1480 3904 Ddqbbo32.exe 100 PID 1480 wrote to memory of 4700 1480 Ddhhbngi.exe 101 PID 1480 wrote to memory of 4700 1480 Ddhhbngi.exe 101 PID 1480 wrote to memory of 4700 1480 Ddhhbngi.exe 101 PID 4700 wrote to memory of 4264 4700 Epaemojk.exe 102 PID 4700 wrote to memory of 4264 4700 Epaemojk.exe 102 PID 4700 wrote to memory of 4264 4700 Epaemojk.exe 102 PID 4264 wrote to memory of 2192 4264 Eebgqe32.exe 103 PID 4264 wrote to memory of 2192 4264 Eebgqe32.exe 103 PID 4264 wrote to memory of 2192 4264 Eebgqe32.exe 103 PID 2192 wrote to memory of 2984 2192 Egdqph32.exe 104 PID 2192 wrote to memory of 2984 2192 Egdqph32.exe 104 PID 2192 wrote to memory of 2984 2192 Egdqph32.exe 104 PID 2984 wrote to memory of 2632 2984 Fpckjlje.exe 105 PID 2984 wrote to memory of 2632 2984 Fpckjlje.exe 105 PID 2984 wrote to memory of 2632 2984 Fpckjlje.exe 105 PID 2632 wrote to memory of 4780 2632 Ggbmafnm.exe 106 PID 2632 wrote to memory of 4780 2632 Ggbmafnm.exe 106 PID 2632 wrote to memory of 4780 2632 Ggbmafnm.exe 106 PID 4780 wrote to memory of 4224 4780 Gcngafol.exe 107 PID 4780 wrote to memory of 4224 4780 Gcngafol.exe 107 PID 4780 wrote to memory of 4224 4780 Gcngafol.exe 107 PID 4224 wrote to memory of 404 4224 Iqpclh32.exe 108 PID 4224 wrote to memory of 404 4224 Iqpclh32.exe 108 PID 4224 wrote to memory of 404 4224 Iqpclh32.exe 108 PID 404 wrote to memory of 1132 404 Iqgjmg32.exe 109 PID 404 wrote to memory of 1132 404 Iqgjmg32.exe 109 PID 404 wrote to memory of 1132 404 Iqgjmg32.exe 109 PID 1132 wrote to memory of 872 1132 Jakchf32.exe 110 PID 1132 wrote to memory of 872 1132 Jakchf32.exe 110 PID 1132 wrote to memory of 872 1132 Jakchf32.exe 110 PID 872 wrote to memory of 3676 872 Jnfjbj32.exe 111 PID 872 wrote to memory of 3676 872 Jnfjbj32.exe 111 PID 872 wrote to memory of 3676 872 Jnfjbj32.exe 111 PID 3676 wrote to memory of 4720 3676 Knbinhfl.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\dff71e3dc64515e2f73595232405abe3c47e94c550dd83ff964eb22f97e93440.exe"C:\Users\Admin\AppData\Local\Temp\dff71e3dc64515e2f73595232405abe3c47e94c550dd83ff964eb22f97e93440.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\Nkhfek32.exeC:\Windows\system32\Nkhfek32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Pfncia32.exeC:\Windows\system32\Pfncia32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Windows\SysWOW64\Pmmeak32.exeC:\Windows\system32\Pmmeak32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3448 -
C:\Windows\SysWOW64\Qcncodki.exeC:\Windows\system32\Qcncodki.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3440 -
C:\Windows\SysWOW64\Alkeifga.exeC:\Windows\system32\Alkeifga.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576 -
C:\Windows\SysWOW64\Ammnhilb.exeC:\Windows\system32\Ammnhilb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\SysWOW64\Bpgjpb32.exeC:\Windows\system32\Bpgjpb32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
C:\Windows\SysWOW64\Clbdpc32.exeC:\Windows\system32\Clbdpc32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\SysWOW64\Ddqbbo32.exeC:\Windows\system32\Ddqbbo32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Windows\SysWOW64\Ddhhbngi.exeC:\Windows\system32\Ddhhbngi.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\Epaemojk.exeC:\Windows\system32\Epaemojk.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Windows\SysWOW64\Eebgqe32.exeC:\Windows\system32\Eebgqe32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4264 -
C:\Windows\SysWOW64\Egdqph32.exeC:\Windows\system32\Egdqph32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Fpckjlje.exeC:\Windows\system32\Fpckjlje.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Ggbmafnm.exeC:\Windows\system32\Ggbmafnm.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Gcngafol.exeC:\Windows\system32\Gcngafol.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Windows\SysWOW64\Iqpclh32.exeC:\Windows\system32\Iqpclh32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
C:\Windows\SysWOW64\Iqgjmg32.exeC:\Windows\system32\Iqgjmg32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\Jakchf32.exeC:\Windows\system32\Jakchf32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\Jnfjbj32.exeC:\Windows\system32\Jnfjbj32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Knbinhfl.exeC:\Windows\system32\Knbinhfl.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Windows\SysWOW64\Ljncnhhk.exeC:\Windows\system32\Ljncnhhk.exe23⤵
- Executes dropped EXE
PID:4720 -
C:\Windows\SysWOW64\Mdkabmjf.exeC:\Windows\system32\Mdkabmjf.exe24⤵
- Executes dropped EXE
PID:3244 -
C:\Windows\SysWOW64\Mgngih32.exeC:\Windows\system32\Mgngih32.exe25⤵
- Executes dropped EXE
- Modifies registry class
PID:940 -
C:\Windows\SysWOW64\Mhppik32.exeC:\Windows\system32\Mhppik32.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:1104 -
C:\Windows\SysWOW64\Nhdicjfp.exeC:\Windows\system32\Nhdicjfp.exe27⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Nnfkgp32.exeC:\Windows\system32\Nnfkgp32.exe28⤵
- Executes dropped EXE
PID:4192 -
C:\Windows\SysWOW64\Ogqmee32.exeC:\Windows\system32\Ogqmee32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:960 -
C:\Windows\SysWOW64\Ogefqeaj.exeC:\Windows\system32\Ogefqeaj.exe30⤵
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Pfkpiled.exeC:\Windows\system32\Pfkpiled.exe31⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Pnfdnnbo.exeC:\Windows\system32\Pnfdnnbo.exe32⤵
- Executes dropped EXE
PID:4084 -
C:\Windows\SysWOW64\Phbolflm.exeC:\Windows\system32\Phbolflm.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:412 -
C:\Windows\SysWOW64\Qdllffpo.exeC:\Windows\system32\Qdllffpo.exe34⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Agaoca32.exeC:\Windows\system32\Agaoca32.exe35⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Bgfhnpde.exeC:\Windows\system32\Bgfhnpde.exe36⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Bnppkj32.exeC:\Windows\system32\Bnppkj32.exe37⤵
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\Bgkaip32.exeC:\Windows\system32\Bgkaip32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Bfnnmg32.exeC:\Windows\system32\Bfnnmg32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3320 -
C:\Windows\SysWOW64\Cgagjo32.exeC:\Windows\system32\Cgagjo32.exe40⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Cfedmfqd.exeC:\Windows\system32\Cfedmfqd.exe41⤵
- Executes dropped EXE
PID:4788 -
C:\Windows\SysWOW64\Cfgace32.exeC:\Windows\system32\Cfgace32.exe42⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Cppelkeb.exeC:\Windows\system32\Cppelkeb.exe43⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Dijgjpip.exeC:\Windows\system32\Dijgjpip.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Deagoa32.exeC:\Windows\system32\Deagoa32.exe45⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Dfqdid32.exeC:\Windows\system32\Dfqdid32.exe46⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Ebokodfc.exeC:\Windows\system32\Ebokodfc.exe47⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Eflceb32.exeC:\Windows\system32\Eflceb32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1904 -
C:\Windows\SysWOW64\Elnehifk.exeC:\Windows\system32\Elnehifk.exe49⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Fplnogmb.exeC:\Windows\system32\Fplnogmb.exe50⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Fpqgjf32.exeC:\Windows\system32\Fpqgjf32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\Fiilblom.exeC:\Windows\system32\Fiilblom.exe52⤵
- Executes dropped EXE
PID:4768 -
C:\Windows\SysWOW64\Fhnichde.exeC:\Windows\system32\Fhnichde.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3200 -
C:\Windows\SysWOW64\Gohapb32.exeC:\Windows\system32\Gohapb32.exe54⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Gebimmco.exeC:\Windows\system32\Gebimmco.exe55⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Gcfjfqah.exeC:\Windows\system32\Gcfjfqah.exe56⤵
- Executes dropped EXE
PID:4236 -
C:\Windows\SysWOW64\Gomkkagl.exeC:\Windows\system32\Gomkkagl.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4012 -
C:\Windows\SysWOW64\Gheodg32.exeC:\Windows\system32\Gheodg32.exe58⤵
- Executes dropped EXE
PID:4160 -
C:\Windows\SysWOW64\Ggfobofl.exeC:\Windows\system32\Ggfobofl.exe59⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Gcmpgpkp.exeC:\Windows\system32\Gcmpgpkp.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1088 -
C:\Windows\SysWOW64\Hfpenj32.exeC:\Windows\system32\Hfpenj32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1812 -
C:\Windows\SysWOW64\Jgbhdkml.exeC:\Windows\system32\Jgbhdkml.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4368 -
C:\Windows\SysWOW64\Jopiom32.exeC:\Windows\system32\Jopiom32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Jflnafno.exeC:\Windows\system32\Jflnafno.exe64⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Jfokff32.exeC:\Windows\system32\Jfokff32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Kiodha32.exeC:\Windows\system32\Kiodha32.exe66⤵PID:4856
-
C:\Windows\SysWOW64\Kfeagefd.exeC:\Windows\system32\Kfeagefd.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2964 -
C:\Windows\SysWOW64\Kmbfiokn.exeC:\Windows\system32\Kmbfiokn.exe68⤵PID:3532
-
C:\Windows\SysWOW64\Liifnp32.exeC:\Windows\system32\Liifnp32.exe69⤵
- Drops file in System32 directory
PID:4372 -
C:\Windows\SysWOW64\Lmfodn32.exeC:\Windows\system32\Lmfodn32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5016 -
C:\Windows\SysWOW64\Ljjpnb32.exeC:\Windows\system32\Ljjpnb32.exe71⤵
- Modifies registry class
PID:4240 -
C:\Windows\SysWOW64\Lhopgg32.exeC:\Windows\system32\Lhopgg32.exe72⤵
- Drops file in System32 directory
PID:4880 -
C:\Windows\SysWOW64\Lhammfci.exeC:\Windows\system32\Lhammfci.exe73⤵PID:4488
-
C:\Windows\SysWOW64\Laiafl32.exeC:\Windows\system32\Laiafl32.exe74⤵PID:2508
-
C:\Windows\SysWOW64\Mjafoapj.exeC:\Windows\system32\Mjafoapj.exe75⤵PID:1844
-
C:\Windows\SysWOW64\Mpchbhjl.exeC:\Windows\system32\Mpchbhjl.exe76⤵PID:2104
-
C:\Windows\SysWOW64\Mfomda32.exeC:\Windows\system32\Mfomda32.exe77⤵
- Drops file in System32 directory
PID:2592 -
C:\Windows\SysWOW64\Npjnbg32.exeC:\Windows\system32\Npjnbg32.exe78⤵PID:2072
-
C:\Windows\SysWOW64\Ndjcne32.exeC:\Windows\system32\Ndjcne32.exe79⤵PID:3504
-
C:\Windows\SysWOW64\Ngklppei.exeC:\Windows\system32\Ngklppei.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3628 -
C:\Windows\SysWOW64\Okiefn32.exeC:\Windows\system32\Okiefn32.exe81⤵PID:5164
-
C:\Windows\SysWOW64\Opmcod32.exeC:\Windows\system32\Opmcod32.exe82⤵PID:5236
-
C:\Windows\SysWOW64\Onqdhh32.exeC:\Windows\system32\Onqdhh32.exe83⤵
- Modifies registry class
PID:5304 -
C:\Windows\SysWOW64\Ppdjpcng.exeC:\Windows\system32\Ppdjpcng.exe84⤵PID:5352
-
C:\Windows\SysWOW64\Pjoknhbe.exeC:\Windows\system32\Pjoknhbe.exe85⤵
- Drops file in System32 directory
PID:5392 -
C:\Windows\SysWOW64\Pjahchpb.exeC:\Windows\system32\Pjahchpb.exe86⤵PID:5436
-
C:\Windows\SysWOW64\Qkqdnkge.exeC:\Windows\system32\Qkqdnkge.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5480 -
C:\Windows\SysWOW64\Qnamofdf.exeC:\Windows\system32\Qnamofdf.exe88⤵PID:5544
-
C:\Windows\SysWOW64\Ahgamo32.exeC:\Windows\system32\Ahgamo32.exe89⤵PID:5584
-
C:\Windows\SysWOW64\Aqbfaa32.exeC:\Windows\system32\Aqbfaa32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5628 -
C:\Windows\SysWOW64\Agnkck32.exeC:\Windows\system32\Agnkck32.exe91⤵
- Drops file in System32 directory
PID:5684 -
C:\Windows\SysWOW64\Ahngmnnd.exeC:\Windows\system32\Ahngmnnd.exe92⤵
- Modifies registry class
PID:5732 -
C:\Windows\SysWOW64\Akopoi32.exeC:\Windows\system32\Akopoi32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5772 -
C:\Windows\SysWOW64\Bjcmpepm.exeC:\Windows\system32\Bjcmpepm.exe94⤵PID:5804
-
C:\Windows\SysWOW64\Bggnijof.exeC:\Windows\system32\Bggnijof.exe95⤵PID:5880
-
C:\Windows\SysWOW64\Cinpdl32.exeC:\Windows\system32\Cinpdl32.exe96⤵
- Modifies registry class
PID:5944 -
C:\Windows\SysWOW64\Cghgpgqd.exeC:\Windows\system32\Cghgpgqd.exe97⤵PID:6008
-
C:\Windows\SysWOW64\Dbdano32.exeC:\Windows\system32\Dbdano32.exe98⤵
- Modifies registry class
PID:6048 -
C:\Windows\SysWOW64\Djpfbahm.exeC:\Windows\system32\Djpfbahm.exe99⤵PID:6124
-
C:\Windows\SysWOW64\Eblgon32.exeC:\Windows\system32\Eblgon32.exe100⤵
- Modifies registry class
PID:3128 -
C:\Windows\SysWOW64\Ehklmd32.exeC:\Windows\system32\Ehklmd32.exe101⤵PID:5184
-
C:\Windows\SysWOW64\Ebbmpmnb.exeC:\Windows\system32\Ebbmpmnb.exe102⤵
- Drops file in System32 directory
PID:5300 -
C:\Windows\SysWOW64\Eecfah32.exeC:\Windows\system32\Eecfah32.exe103⤵PID:5360
-
C:\Windows\SysWOW64\Fbggkl32.exeC:\Windows\system32\Fbggkl32.exe104⤵PID:5428
-
C:\Windows\SysWOW64\Fkbkoo32.exeC:\Windows\system32\Fkbkoo32.exe105⤵PID:5492
-
C:\Windows\SysWOW64\Fblpflfg.exeC:\Windows\system32\Fblpflfg.exe106⤵
- Modifies registry class
PID:5580 -
C:\Windows\SysWOW64\Fiheheka.exeC:\Windows\system32\Fiheheka.exe107⤵PID:5612
-
C:\Windows\SysWOW64\Gklnem32.exeC:\Windows\system32\Gklnem32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5724 -
C:\Windows\SysWOW64\Gbecljnl.exeC:\Windows\system32\Gbecljnl.exe109⤵PID:5796
-
C:\Windows\SysWOW64\Golcak32.exeC:\Windows\system32\Golcak32.exe110⤵PID:5904
-
C:\Windows\SysWOW64\Gammbfqa.exeC:\Windows\system32\Gammbfqa.exe111⤵PID:5968
-
C:\Windows\SysWOW64\Hifaic32.exeC:\Windows\system32\Hifaic32.exe112⤵
- Modifies registry class
PID:6060 -
C:\Windows\SysWOW64\Haafnf32.exeC:\Windows\system32\Haafnf32.exe113⤵PID:1048
-
C:\Windows\SysWOW64\Iabodcnj.exeC:\Windows\system32\Iabodcnj.exe114⤵PID:5336
-
C:\Windows\SysWOW64\Ifphkbep.exeC:\Windows\system32\Ifphkbep.exe115⤵PID:5564
-
C:\Windows\SysWOW64\Iohlcg32.exeC:\Windows\system32\Iohlcg32.exe116⤵PID:5720
-
C:\Windows\SysWOW64\Jjgcgo32.exeC:\Windows\system32\Jjgcgo32.exe117⤵PID:5848
-
C:\Windows\SysWOW64\Kkofofbb.exeC:\Windows\system32\Kkofofbb.exe118⤵
- Modifies registry class
PID:6044 -
C:\Windows\SysWOW64\Kblkap32.exeC:\Windows\system32\Kblkap32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5148 -
C:\Windows\SysWOW64\Lbnggpfj.exeC:\Windows\system32\Lbnggpfj.exe120⤵
- Modifies registry class
PID:5468 -
C:\Windows\SysWOW64\Lobhqdec.exeC:\Windows\system32\Lobhqdec.exe121⤵PID:5740
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-